Shorewall and Linux-vserver

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

Note that you don't need to run Vservers to use vserver zones; they
may also be used to create a firewall sub-zone for each aliased
interface.

If you use these zones, keep in mind that Linux-vserver implements a
very weak form of network virtualization:

From a networking point of view, vservers live on the host
system. So if you are not careful, Vserver traffic to/from zone z will
be controlled by the fw->z and z->fw rules and policies rather
than by vserver->z and z->vserver rules and policies.

Outgoing connections from a vserver will not use the Vserver's
address as the SOURCE IP address unless you configure applications
running in the Vserver properly. This is especially true for IPv6
applications. Such connections will appear to come from the $FW zone
rather than the intended Vserver zone.

While you can define the vservers to be associated with the
network interface where their IP addresses are added at vserver
startup time, Shorewall internally associates all vservers with the
loopback interface (lo). Here's an
example of how that association can show up:

While the IP addresses 70.90.191.124 and 70.90.191.125 are
configured on eth1, the actual interface name is irrelevant so long as the
interface is defined in shorewall-interfaces (5);
Shorewall will consider all vserver zones to be associated with the
loopback interface (lo). Note that the
routeback option is required if the
vservers are to be able to communicate with each other.

Once a vserver zone is defined, it can be used like any other zone
type.

Note that I chose to place the Vservers on sit1 (the IPv6 net
interface) rather than on eth1. Again, it really doesn't matter
much.
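The following is an added example, not part of the Shorewall documentation and not the author's own configuration. It embeds constructed sample fragments of the three files that define a vserver zone (zones, interfaces, hosts), reusing the two addresses mentioned above, and runs a small lint over them that encodes the rules stated in the text: a zone of type vserver must get its addresses from the hosts file, the interface named there must be defined in the interfaces file, and routeback is needed for vservers to reach each other. The column layout of the fragments and the placement of routeback on the lo entry are assumptions made for this example; check them against shorewall-zones(5), shorewall-interfaces(5) and shorewall-hosts(5) for your version.

```python
# Added example (not from the Shorewall project): lint the files that
# define a vserver zone.  The sample fragments are constructed; the
# column layout and the routeback-on-lo convention are assumptions.
import re

ZONES = """\
#ZONE   TYPE
fw      firewall
net     ipv4
vs      vserver
"""

INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      tcpflags,nosmurfs
-       lo          -           routeback
"""

HOSTS = """\
#ZONE   HOST(S)                           OPTIONS
vs      eth1:70.90.191.124,70.90.191.125
"""


def parse(text):
    """Split a Shorewall table into rows, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(re.split(r"\s+", line))
    return rows


def vserver_zones(zones_text):
    """Names of all zones declared with TYPE vserver."""
    return {row[0] for row in parse(zones_text) if len(row) > 1 and row[1] == "vserver"}


def lint(zones_text, interfaces_text, hosts_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    vs_zones = vserver_zones(zones_text)

    # Map interface name -> set of options.  Every column after INTERFACE is
    # scanned so that both the 3-column and the 4-column (BROADCAST) layouts
    # are handled; "-" and "detect" are placeholders, not options.
    ifaces = {}
    for row in parse(interfaces_text):
        if len(row) < 2:
            continue
        opts = set()
        for col in row[2:]:
            opts.update(o for o in col.split(",") if o not in ("-", "detect"))
        ifaces[row[1]] = opts

    # Map zone -> list of (interface, [addresses]) from the hosts file.
    hosts_by_zone = {}
    for row in parse(hosts_text):
        if len(row) < 2:
            continue
        iface, _, addrs = row[1].partition(":")
        hosts_by_zone.setdefault(row[0], []).append(
            (iface, addrs.split(",") if addrs else []))

    for zone in sorted(vs_zones):
        entries = hosts_by_zone.get(zone, [])
        if not entries:
            findings.append(f"zone {zone}: vserver zone has no hosts entry")
            continue
        for iface, addrs in entries:
            if iface not in ifaces:
                findings.append(f"zone {zone}: interface {iface} is not defined in interfaces")
            if not addrs:
                findings.append(f"zone {zone}: hosts entry on {iface} lists no addresses")

    # Assumption for this example: inter-vserver traffic is associated with
    # lo, so that is where routeback is looked for.
    if vs_zones and "routeback" not in ifaces.get("lo", set()):
        findings.append("interface lo: routeback missing, vservers cannot reach each other")
    return findings


if __name__ == "__main__":
    problems = lint(ZONES, INTERFACES, HOSTS)
    print("\n".join(problems) if problems else "vserver zone configuration looks consistent")
```

Running the script on the constructed fragments reports no findings; removing routeback from the lo entry, deleting the hosts line, or naming an interface that is not in the interfaces file each produces a finding that names the offending zone or interface.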

Sharing an IPv6 /64 between Vservers and a LAN

I have both a /64 (2001:470:b:227::/64) and a /48
(2001:470:e857::/48) from Hurricane Electric. When I first
set up my Vserver configuration, I assigned addresses from the /48 to the
Vservers as shown above.

Given that it is likely that, when native IPv6 is available from my
ISP, I will only be able to afford a single /64, in February 2011 I
decided to migrate my vservers to the /64. This was possible because of
the Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram
is as shown below:

This change was accompanied by the following additions to
/etc/shorewall6/proxyndp: